Macs don't get "PC viruses."

Macs don't get PC viruses ? What the hell does PC mean anyway. Stop calling windows machine PC's versus Macs are Macs. They're both PC's, they use different operating systems. PC - PERSONAL COMPUTER. A MAC IS A PERSONAL COMPUTER.

How about WINtel versus MACtel ?
 
I got infected by this the other day while I was at school and had to take my mac in to be looked at before I was allowed on the school's wireless internet anymore. I was surprised this could happen on a mac but good that it wasn't something too serious.
 
Macs don't get PC viruses ? What the hell does PC mean anyway. Stop calling windows machine PC's versus Macs are Macs. They're both PC's, they use different operating systems. PC - PERSONAL COMPUTER. A MAC IS A PERSONAL COMPUTER.

How about WINtel versus MACtel ?

Are you angry, or something? That's the term people usually use to differentiate the two. No need to get angry over it.

People aren't going to stop referring to personal computers that use the Windows OS as "PC's" just because you don't like it.
 
It could also be said that Apple doesn't "serve" it anymore and hasn't done since the release of lion.

If you want to eat off the menu then expect it to get less attention than the normal dishes.

:D

But it was on the menu and can still be ordered from the Apple restaurant (to continue the analogy) if you want it.

If you never need Java, it will never be installed. But if you do, Apple's feline OS will install it... very most likely positively from its own servers...
 
  1. Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall

  2. Uncheck "Open "safe" files after downloading" in Safari > Preferences > General

  3. Uncheck "Enable Java" in Safari > Preferences > Security. This will completely protect you from the Flashback malware. Leave this unchecked until you visit a trusted site that requires Java, then re-enable only for your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)

  4. Change your DNS servers to OpenDNS servers by reading this.

  5. Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.

  6. Never let someone else have access to install anything on your Mac.

  7. Don't open files that you receive from unknown or untrusted sources.

  8. Make sure all network, email, financial and other important passwords are complex, including upper and lower case letters, numbers and special characters.

  9. Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.

That's all you need to do to keep your Mac completely free of any virus, trojan, spyware, keylogger, or other malware. You don't need any 3rd party software to keep your Mac secure.

1) Doing all that is going against the whole marketing notion that Apple has built around itself (and often heard around here in defence of Mac and iOS) of "it just works". Doing all that is putting people in a situation of being much closer to the user experience on windows.

Which leads us to...

2) None of your suggestions actually address what happens when the next trojan/worm releases. It might not be targeting Java. It could be the infection vector is through email, IM and any number of other means. Simply put the routine you listed is not an iron clad solution. Which links us to point 1.

And then...

3) The real question that no one really debated yet is what is Apple's own internal situation with this trojan? This is a really important question. Personally I don't believe that they are 100% immune from all threats. And unless they had an updated version of Java internally, any machine (at this point everyone would yell WTF Apple) with Java enabled could potentially have been infected. And this is a big deal because it is likely employees with access to sensitive information are using Macs. This time the exploit is relatively harmless but I can see a targeted attack using a zero day exploit against Apple in the future. It is likely because of Apple's public image. It is the most valuable company, its conformist culture etc. It's a giant bull's-eye for black hats.

So at this point seeing as this issue could have been fixed months ago. How safe does anyone feel about storing their personal info in icloud? How safe is iOS app store?

And on a much simpler level you can do everything right as a user and still get hit in the future. Exploits are not always so easily avoidable like this one. Likely few people here know or remember but in the past there was actually an exploit against Broadcom's wifi driver on windows. All you needed to do to get exploited was have your wifi enabled at a local cafe where someone was out looking for a victim.

For me, I think there needs to be a shift towards seeing security as being important at Apple.
 
Doing all that is going against the whole marketing notion that Apple has built around itself (and often heard around here in defence of Mac and iOS) of "it just works". Doing all that is putting people in a situation of being much closer to the user experience on windows.
Most of that is simply computing common sense, such as not pirating software or letting others install software on your computer or using secure passwords. None of those things are OS-specific. In fact, of that list, only the first 3 items are specific to Mac OS X.
None of your suggestions actually address what happens when the next trojan/worm releases. It might not be targeting Java. It could be the infection vector is through email, IM and any number of other means.
It depends on the threat. For example, I've been recommending disabling Java in Safari since October, 2010, when the boonana.a trojan was news. Anyone who disabled Java back then was not affected by the Flashback trojan. If a new attack vector is discovered that requires additional defense, I'll add the appropriate information. Computer security, like all computer technology, is a constantly-changing environment, so it's wise to stay informed.
Simply put the routine you listed is not an iron clad solution.
It is an iron clad solution for all Mac OS X malware presently in the wild. There IS no protection for something that does not yet exist.
Personally I don't believe that they are 100% immune from all threats.
No one who is informed, including Apple, has ever claimed that they are.
 
That's right, Apples don't get 'PC virus'....apparently only Apple Trojans.

And that's protection you can count on, that way you don't get lots of little Apple babies :D
 
Glad to see that they are stepping in!

Two months too late, and after a PR cluster****. But hey, let's all credit Apple for taking action because we all know that Microsoft would get the same sort of praise from users here if they slept on a security exploit for 2 months....right?
 
Originally Posted by JHankwitz
The 600,000 number sure looks like an exaggerated SWAG to me.
Anything to back this or is only wishful thinking

Anything to prove it otherwise? As my old grandpappy used to tell me over 50 years ago, "Never believe anything you hear or read, and only half of what you see." After working over 40 years in the industry, I know how correct he was. Everything is perceived and spun with unique agendas to serve personal gain.
 
Anything to prove it otherwise? As my old grandpappy used to tell me over 50 years ago, "Never believe anything you hear or read, and only half of what you see." After working over 40 years in the industry, I know how correct he was. Everything is perceived and spun with unique agendas to serve personal gain.

Well, Dr. Web has explained their methodology and some other sources have seen the same amount.

Any reason to think they're lying?
 
Anything to prove it otherwise? As my old grandpappy used to tell me over 50 years ago, "Never believe anything you hear or read, and only half of what you see." After working over 40 years in the industry, I know how correct he was. Everything is perceived and spun with unique agendas to serve personal gain.

Oy vey. The 600,000 figure comes from a methodology that's been publicly described and reproduced by multiple independent security researchers. Kaspersky Labs, one of the most prominent and active security firms around, describes what they did here:

https://www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

Kaspersky Labs (along with the initial researcher Dr. Web) cracked the encryption in the Flashback trojan that told an infected computer how to communicate with command servers. They then set up their own command server and counted the number of bots that phoned back into the mothership. It couldn't be more straightforward. It's not a guesstimate, statistical sampling or mathematical extrapolation. It's literally counting. 600,000+ unique machines checked in. They further analyzed the machines for OS identification and 98% of them were running the Mac OS. It's all there - simple, logical and concise. Rather than rely on generalized conspiracy paranoia "I don't believe anything I read," how about you describe what's wrong with this methodology?

Incidentally, this is the same process security folks use to reverse engineer and track down the command servers of botnets so they can take them down. Apple and ISPs are using this as we speak to hunt for command servers (Apple actually identified one of the security researcher's "fake" command servers as malicious and tried to have it taken down). The methodology works - the proof is in the ability to identify and shut down command servers.
 
Everything is perceived and spun with unique agendas to serve personal gain.

Sounds like Apple's marketing slogan :D In all seriousness though how can anyone defend a company that literally just said F you to its customers until it became bad press? That's like cheating on your wife and then finally saying sorry just because you got caught.
 
They further analyzed the machines for OS identification and 98% of them were running the Mac OS.

To be precise, in the article they use the expression "most likely" when estimating 98% as the percentage of packets from Mac OS X hosts, and they conclude "it is very likely that most of the machines running the Flashfake bot are Macs". The particular fingerprinting techniques used are not described, and the margin of error is not estimated except to state that the technique can be used for making order-of-magnitude estimates. My personal impression is that indeed most of the botnet machines are Macs, but I wouldn't say that the evidence provided by the article is absolute.
 
How many Macs actually, really, have this reported problem. The 600,000 number sure looks like an exaggerated SWAG to me. Most of my friends and I have Intego VirusBarrier X6 installed which is able to detect this problem, but none have had it reported. Please post if you know "first-hand" of anyone with this problem.

Yes, you and your small band of friends provides the perfect sample size for the whole world.
 
To be precise, in the article they use the expression "most likely" when estimating 98% as the percentage of packets from Mac OS X hosts, and they conclude "it is very likely that most of the machines running the Flashfake bot are Macs". The particular fingerprinting techniques used are not described, and the margin of error is not estimated except to state that the technique can be used for making order-of-magnitude estimates. My personal impression is that indeed most of the botnet machines are Macs, but I wouldn't say that the evidence provided by the article is absolute.

Kaspersky did describe what their OS id method was by linking to a Wikipedia article on TCP/IP stack fingerprinting. As the wiki article says:

http://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting

TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote machine's operating system (aka, OS fingerprinting), or incorporated into a device fingerprint.

As you point out, Kaspersky noted this method infers the OS by measuring the parameters - Mac OS has a characteristic way of implementing the parameters that's unique to it. It may not be a foolproof method - what method is - but it's reliable and routinely used by websites to analyze their traffic. There's some wiggle room with the 600,000 figure but not to the degree the deniers are claiming, without supplying any evidence or arguments what's wrong with the methodology of course - they just "know" it's wrong or their "gut" tells them it's wrong because they don't know anyone who's infected. :rolleyes: Bah, silly researchers! What chance does their puny scientific method have against a denier's gut feeling?
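
The counting and OS-inference approach discussed in the posts above, as an added example that is not part of the thread and is not Kaspersky's or Dr. Web's code: it counts unique bots checking in to a sinkhole and guesses each one's OS from SYN parameters. The log format, the bot IDs and the three fingerprint rules are constructed, simplified assumptions, not a real signature database.

```python
from collections import Counter

# Simplified passive-fingerprint rules (illustrative assumption, not a real
# signature database): guess the initial TTL, then use the SYN window size
# and TCP option order to separate stacks that share a TTL.
def initial_ttl(observed):
    # Hosts start at 64, 128 or 255; each router hop subtracts one.
    return next(t for t in (64, 128, 255) if observed <= t)

def guess_os(ttl, window, options):
    start = initial_ttl(ttl)
    if start == 128:
        return "Windows"
    if start == 64 and window == 65535 and options.startswith("mss,nop,ws,nop,nop,ts"):
        return "Mac OS X"
    if start == 64 and options.startswith("mss,sok,ts"):
        return "Linux"
    return "unknown"  # an inference, so some hosts stay unclassified

def summarize(log_lines):
    """Return (unique bot count, Counter of OS guesses per unique bot)."""
    first_seen = {}
    for line in log_lines:
        bot_id, src_ip, ttl, window, options = line.split()
        # Deduplicate on the bot's own ID, not the source IP: NAT and DHCP
        # make IP counts both over- and under-estimate.
        first_seen.setdefault(bot_id, guess_os(int(ttl), int(window), options))
    return len(first_seen), Counter(first_seen.values())

# Constructed sinkhole records: bot_id src_ip ttl window tcp_options
SAMPLE = [
    "A1 198.51.100.7 52 65535 mss,nop,ws,nop,nop,ts,sok,eol",
    "A1 203.0.113.9 49 65535 mss,nop,ws,nop,nop,ts,sok,eol",   # same bot, new IP
    "B2 198.51.100.7 52 65535 mss,nop,ws,nop,nop,ts,sok,eol",  # second bot, same NAT
    "C3 192.0.2.44 116 8192 mss,nop,ws,nop,nop,sok",
    "D4 192.0.2.80 57 14600 mss,sok,ts,nop,ws",
    "E5 192.0.2.81 240 4128 mss",
]

if __name__ == "__main__":
    total, by_os = summarize(SAMPLE)
    for name, n in by_os.most_common():
        print(f"{name}: {n}/{total} ({100 * n / total:.0f}%)")
```
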
 
So, Macs can be exploited by malware that doesn't require the user to do anything. It's a fact of life, although you either switch off functionality (ironic that many GUIs for security devices use Java!) or rely on the vendor to provide timely patches. Apple dropped the ball here, and arguing about the name of the malware doesn't change that.
 
Are you angry, or something? That's the term people usually use to differentiate the two. No need to get angry over it.

People aren't going to stop referring to personal computers that use the Windows OS as "PC's" just because you don't like it.

Not mad Eduardo. Just laughing at people like you that follow the dumb-masses. :D
 